Bug 862937

Summary: Memory leak in perl-libwhisker2 resp. Net::SSLeay
Product: [Fedora] Fedora Reporter: Michal Ambroz <rebus>
Component: perl-libwhisker2Assignee: Petr Pisar <ppisar>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: huzaifas, paul, polpot78, ppisar, rebus
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-05 12:26:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 862577    
Attachments:
Description Flags
libwhisker-init-ssl-engine.patch
none
https_client_whisker.pl none

Description Michal Ambroz 2012-10-04 01:08:53 UTC
Created attachment 621208 [details]
libwhisker-init-ssl-engine.patch

Description of problem:
libwhisker2 resp. Net::SSLeay seems to demonstrate memory leak. 
When nikto2 is using libwhisker together with Net::SSL everything seems to be fine, but when it is used together with Net::SSLeay, program depleats all system memory. 

Version-Release number of selected component (if applicable):


How reproducible:
90% (relies on the response speed of the server, delay in response = problem)

Steps to Reproduce:
1. Install libwhisker2 and Net::SSLeay and Net::SSL
   yum -y install perl-libwhisker2 perl-Net-SSLeay perl-Crypt-SSLeay

2. run nikto from the nikto2 package against some HTTPS host with slow reply:
   nikto host-to-scan.example.com -ssl -port 443

  
Actual results:
By default the Net::SSLeay will be used and will leak all available memory in a short while

Expected results:
It should not leak the memory. If Net::SSL is used instead (for example if Net::SSLeay package is removed) no memory leak is visible and nikto process keeps steadily on something like 30MB.

Additional info:
Tested with:
nikto-2.1.5 (and modified libwhisker)
nikto-2.1.5-3.fc17 (nikto patched to use system wide libwhisker2)
perl-libwhisker2-2.5-5.fc17.noarch
perl-Net-SSLeay-1.48-1.fc17.x86_64
perl-Crypt-SSLeay-0.58-8.fc17.x86_64

Please could you consider adding a patch from nikto2 to libwhisker with possibility to initialize suitabe SSL engine or at least prioritize Net::SSL over Net::SSLeay.

Michal Ambroz

Comment 1 Petr Pisar 2012-10-04 15:13:15 UTC
Current code prefers Net::SSLeay. Changing the preference is not wise for stable Fedora. I can add code selecting implementation, but not to change the default preference (though this could be done in F19).

Comment 2 Petr Pisar 2012-10-04 15:44:14 UTC
What's purpose of "auto" argument for init_ssl_engine()?

The only difference between "auto" and unknown value is that the latter unsets SSL engine if no SSL engine can be found. I'm tempting to remove the "auto" completely.

Comment 3 Michal Ambroz 2012-10-04 20:16:34 UTC
Hi Petre,

I would guess that it is there just for consistency (I mean to have some argument).The init_ssl_engine("auto") is called by default in module initialization. I believe you can remove the "auto" value and call init_ssl_engine() instead.

The current "auto" tries Net::SSL first and then Net::SSLeay, which is quite opposit to what is in pristine 2.5 libwhisker. If you do not want to change the behaviour within one release of Fedora it should be turned around.

For nikto - just the posibility to choose the Net::SSL engine explicitly would be great, no matter what is the defaults.
For slow servers the memory leak in Net::SSLeay is really pretty annoying.

Best regards
Michal Ambroz

Comment 4 Michal Ambroz 2012-10-04 23:00:18 UTC
Created attachment 621841 [details]
https_client_whisker.pl

Attaching testing code for client using libwhisker for HTTPS connection.
As a server you can use simply apache ( yum -y install httpd mod_ssl ; service httpd restart ).

After 2000 requests the process using Net::SSLeay grows as much as 1.5GB.
Comparing to cca 15-30MB with Net:SSL I do not think there is any reason to use Net::SSLeay until it is fixed.

Michal Ambroz

Comment 5 Michal Ambroz 2013-02-21 18:39:06 UTC
Memory leak still problem for the Fedora 18.

Comment 6 Michal Ambroz 2013-02-21 18:46:05 UTC
But the issue is probably not so big - the testscript https_client_whisker.pl seems to be running quite ok on F18 so I guess it might be nikto this time leaking somewhere else.

Comment 7 Fedora End Of Life 2013-12-21 09:02:02 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Petr Pisar 2014-01-02 06:48:55 UTC
The patch does not apply to sources as the patch is against generated code. I tried to patch the sources, but due the way how the sources are built it's wery hard to do that cleanly (BEGIN sections). Frankly, I don't have time to implement it.

Please go to upstream.

Comment 9 Fedora End Of Life 2014-02-05 12:26:33 UTC
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.